ARP4761

ARP4761, Guidelines for Conducting the Safety Assessment Process on Civil Aircraft, Systems, and Equipment is an Aerospace Recommended Practice from SAE International.^[1] In conjunction with ARP4754, ARP4761 is used to demonstrate compliance with 14 CFR 25.1309 in the U.S. Federal Aviation Administration (FAA) airworthiness regulations for transport category aircraft, and also harmonized international airworthiness regulations such as European Aviation Safety Agency (EASA) CS–25.1309.

Guidelines for Conducting the Safety Assessment Process on Civil Aircraft, Systems, and Equipment

Abbreviation	ARP4761A
Latest version	A December 2023 (2023-12)
Organization	SAE International
Domain	Aviation Safety
Website	www.sae.org/standards/content/arp4761a/

This Recommended Practice defines a process for using common modeling techniques to assess the safety of a system being put together. The first 30 pages of the document covers that process. The next 140 pages give an overview of the modeling techniques and how they should be applied. The last 160 pages give an example of the process in action.

Some of the methods covered:

• Functional Hazard Assessment (FHA)
• Preliminary System Safety Assessment (PSSA)
• System Safety Assessment (SSA)
• Fault Tree Analysis (FTA)
• Failure Mode and Effects Analysis (FMEA)
• Failure Modes and Effects Summary (FMES)
• Common Cause Analysis (CCA), consisting of:
  • Zonal Safety Analysis (ZSA)
  • Particular Risks Analysis (PRA)
  • Common Mode Analysis (CMA)

Safety life cycle

The general flow of the safety life cycle under ARP4761 is:

1. Perform the aircraft level FHA in parallel with development of aircraft level requirements.
2. Perform the system level FHA in parallel with allocation of aircraft functions to system functions, and initiate the CCA.
3. Perform the PSSA in parallel with system architecture development, and update the CCA.
4. Iterate the CCA and PSSA as the system is allocated into hardware and software components.
5. Perform the SSA in parallel with system implementation, and complete the CCA.
6. Feed the results into the certification process.

The Functional Safety process is focused on identifying functional failure conditions leading to hazards. Functional Hazard Analyses / Assessments are central to determining hazards. FHA is performed early in aircraft design, first as an Aircraft Functional Hazard Analysis (AFHA) and then as a System Functional Hazard Analysis (SFHA). Using qualitative assessment, aircraft functions and subsequently aircraft system functions are systematically analyzed for failure conditions, and each failure condition is assigned a hazard classification. Hazard classifications are closely related to Development Assurance Levels (DALs) and are aligned between ARP4761 and related aviation safety documents such as ARP4754A, 14 CFR 25.1309, and Radio Technical Commission for Aeronautics (RTCA) standards DO-254 and DO-178B.

Hazard Classification	Development Assurance Level	Maximum Probability per Flight Hour
Catastrophic	A	10−9
Hazardous	B	10−7
Major	C	10−5
Minor	D	--
No Effect	E	--

FHA results are normally shown in spreadsheet form, with columns identifying function, failure condition, phase of flight, effect, hazard classification, DAL, means of detection, aircrew response, and related information. Each hazard is assigned a unique identifier that is tracked throughout the entire safety life cycle. One approach is to identify systems by their ATA system codes and the corresponding hazards by derivative identifiers. For example, the thrust reverser system could be identified by its ATA code 78-30. Untimely deployment of thrust reverser would be a hazard, which could be assigned an identifier based on ATA code 78-30.

FHA results are coordinated with the system design process as aircraft functions are allocated to aircraft systems. The FHA also feeds into the PSSA, which is prepared while the system architecture is developed.

The PSSA may contain qualitative FTA, which can be used to identify systems requiring redundancy so that catastrophic events do not result from a single failure (or dual failure where one is latent). A fault tree is prepared for each SFHA hazard rated hazardous or catastrophic. Fault trees may be performed for major hazards if warranted. DALs and specific safety design requirements are imposed on the subsystems. The safety design requirements are captured and traced. These may include preventive or mitigation strategies selected for particular subsystems. The PSSA and CCA generate separation requirements to identify and eliminate common mode failures. Subsystem failure rate budgets are assigned so that hazard probability limits can be met.

The CCA consists of three separate types of analyses which are designed to uncover hazards not created by a specific subsystem component failure. The CCA may be many separate documents, may be one CCA document, or may be included as sections in the SSA document. The Particular Risk Analysis (PRA) looks for external events which can create a hazard such as a birdstrike or engine turbine burst. The Zonal Safety Analysis (ZSA) looks at each compartment on the aircraft and looks for hazards that can affect every component in that compartment, such as loss of cooling air or a fluid line bursting. The Common Mode Analysis (CMA) looks at the redundant critical components to find failure modes which can cause all to fail at about the same time. Software is always included in this analysis as well as looking for manufacturing errors or "bad lot" components. A failure such as a bad resistor in all flight control computers would be addressed here. The mitigations for CMA discoveries is often DO-254 or DO-178B components.

The SSA includes quantitative FMEA, which is summarized into FMES. Normally FMES probabilities are used in quantitative FTA to demonstrate that the hazard probability limits are in fact met. Cutset analysis of the fault trees demonstrates that no single failure condition will result in a hazardous or catastrophic event. The SSA may include the results of all safety analysis and be one document or may be many documents. An FTA is only one method for performing the SSA. Other methods include dependence diagram or reliability block diagram and Markov Analysis.

The PSSA and CCA often result in recommendations or design requirements to improve the system. The SSA summarizes the residual risks remaining in the system and should show all hazards meet the 1309 failure rates.

The ARP4761 analyses also feed into Crew Alerting System (CAS) message selection and the development of critical maintenance tasks under ATA MSG3.

Future changes

In 2004, SAE Standard Committee S-18 began working on Revision A to ARP4761. When released, EUROCAE plans to jointly issue the document as ED–135.

See also

• ARP4754
• DO-254
• DO-178B
• Safety engineering
• avionics

References

1. S–18 (1996). Guidelines and methods for conducting the safety assessment process on civil airborne systems and equipment. SAE International. ARP4761.{{cite book}}: CS1 maint: multiple names: authors list (link) CS1 maint: numeric names: authors list (link)